[Snort-users] Snort in a cluster

Williams Jon WilliamsJonathan at ...2134...
Fri Jul 9 07:46:06 EDT 2004

I'm glad to hear someone else is doing this.  I was at a conference and
talking with the Sourcefire tech guy, and when I mentioned that we were
doing this, he looked at me as if I'd just stepped off a spaceship.
Even after I'd explained what we were doing (i.e. better performance of
any any -> any any rules, stripping out sections of aggregated taps,
etc.), he still didn't seem to grasp that someone would want to do this.
<shakes head>

It does work quite well, though.  I've got three individual boxes that
are each monitoring 80-90 Mbps sustained, the traffic coming from 40 or
50 Ethernet taps.  Much cheaper than buying one computer for each tap or
mucking about with multiple interfaces in a single box.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Michael
Sent: Friday, July 09, 2004 9:24 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort in a cluster

On Fri, Jul 09, 2004 at 02:01:44PM +0100, you wrote:
>If you need more power for snort than a single CPU can provide, you
>probably want to be looking at having multiple sensors and an IDS
>load-balancing solution (e.g. Radware or Top Layer).

Or you can adjust the pcap filter so snort sees less traffic. I've had
good success running multiple snorts on one system where each sees part
of the traffic and together they can keep up with a faster link than a
single process trying to watch everything.

Mike Stone
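
One way to build the per-process pcap filters described in the message above, as an added example that is not part of either message. It assumes the split is done on a hash of the last address octets, a power-of-two process count, and hypothetical interface, config and log paths; the thread does not say how the traffic was actually divided.

```python
"""Split one tap across N Snort processes with disjoint BPF filters (constructed example)."""
import ipaddress

def bpf_filters(n):
    """Return n BPF expressions; n must be a power of two so '&' can act as modulo."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    filters = []
    for i in range(n):
        # ip[15] = last octet of source address, ip[19] = last octet of destination.
        # Their sum is the same in both directions, so a session stays on one process
        # and stream reassembly sees both halves of the conversation.
        expr = f"(ip and ((ip[15] + ip[19]) & {n - 1}) = {i})"
        if i == 0:
            # Non-IPv4 frames (ARP, IPv6, ...) match no ip[] test; give them to instance 0
            # so that no traffic goes uninspected.
            expr = f"(not ip) or {expr}"
        filters.append(expr)
    return filters

def instance_for(src, dst, n):
    """Model of the filter above: which instance sees an IPv4 packet src -> dst."""
    s = int(ipaddress.IPv4Address(src)) & 0xFF
    d = int(ipaddress.IPv4Address(dst)) & 0xFF
    return (s + d) & (n - 1)

def snort_commands(n, iface="eth0", conf="/etc/snort/snort.conf"):
    """Hypothetical paths; one log directory per process so outputs do not collide."""
    return [f"snort -D -i {iface} -c {conf} -l /var/log/snort/{i} '{f}'"
            for i, f in enumerate(bpf_filters(n))]

if __name__ == "__main__":
    # Constructed flows: both directions must map to the same instance.
    flows = [("10.1.2.3", "192.0.2.80"), ("10.1.2.4", "198.51.100.25")]
    for src, dst in flows:
        assert instance_for(src, dst, 4) == instance_for(dst, src, 4)
        print(src, "<->", dst, "-> instance", instance_for(src, dst, 4))
    for cmd in snort_commands(4):
        print(cmd)
```

The filters are disjoint and together cover every frame, so each packet is inspected exactly once; VLAN-tagged taps would need the expressions wrapped in a `vlan` qualifier.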
